I think you could recreate the entry. The information can be found in "o=ipaca"
ldapsearch -D "cn=directory manager" -W -b
(remember that in RHEL6 you will need to query the instance on port 7389, that is
to say, add "-p 7389 -h localhost" to the ldapsearch command).
And recreate your entry with this information:
cACertificate;binary: <value found in the former command, in the
Another possibility: if this deleted entry has not been purged, you could still
find the information as a tombstone, and then re-create the entry with the
information in the tombstone:
ldapsearch -D "cn=directory manager" -W -b "dc=example,dc=test"
you will see an entry with a dn of this sort:
And you could add a new entry (shown before) with the exact information found
in the tombstone, changing the dn to the right one, of course.
----- Original Message -----
> From: "Danielle M Witherspoon" <dmwit...@us.ibm.com>
> To: firstname.lastname@example.org
> Sent: Wednesday, December 23, 2015 8:08:20 PM
> Subject: [Freeipa-users] (no subject)
> Hello everyone,
> We've run into an issue with our instance of IPA. Our LDAP certificate was
> deleted with the command "ldapdelete -Y GSSAPI
> "cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test"". When we now attempt to enroll
> servers as IPA clients, we get the following (sanitized for this email)
> [root@server1 ~]# ipa-client-install --enable-dns-updates
> Discovery was successful!
> Hostname: server1.SERVER.local
> Realm: SERVER.LOCAL
> DNS Domain: SERVER.local
> IPA Server: ipaserver1.SERVER.local
> BaseDN: dc=server dc=local
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: bob
> Synchronizing time with KDC...
> Password for bob@SERVER.LOCAL:
> Cannot obtain CA certificate
> 'ldap://ipaserver1.SERVER.local' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> Advice on how to remediate this issue would be welcomed with open arms.
> Thank you for your time,
> Danielle Witherspoon
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
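A check for the recovery step described in the reply above, added here as an example and not part of the original thread: it pulls each cACertificate;binary value out of saved ldapsearch LDIF output (unfolding wrapped lines) and returns its DER bytes, SHA-256 fingerprint and PEM form, so the value can be compared with a trusted copy of the CA certificate before the entry is recreated. The function names, the placeholder DN and the sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib

ATTR = "cacertificate;binary"  # attribute named in the reply, lower-cased


def unfold(ldif_text):
    """Join LDIF continuation lines (RFC 2849: they start with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_ca_certs(ldif_text):
    """Return [(dn, der_bytes)] for every base64 cACertificate;binary value."""
    found, dn = [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank line, comment, or not an attribute line
        if name.lower() == "dn":
            # "dn:: ..." means the DN itself is base64-encoded
            dn = base64.b64decode(rest[1:]).decode() if rest.startswith(":") else rest.strip()
        elif name.lower() == ATTR and rest.startswith(":"):
            found.append((dn, base64.b64decode(rest[1:].strip(), validate=True)))
    return found


def to_pem(der):
    """Wrap DER bytes as a PEM certificate block with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der):
    """Hex SHA-256 of the DER bytes, for comparison with a trusted copy."""
    return hashlib.sha256(der).hexdigest()


# Constructed sample: placeholder bytes and DN, not a real certificate or entry.
SAMPLE_DER = bytes(range(256)) * 3
_b64 = "cACertificate;binary:: " + base64.b64encode(SAMPLE_DER).decode()
_folded = _b64[:76] + "".join("\n " + _b64[i:i + 75] for i in range(76, len(_b64), 75))
SAMPLE_LDIF = "dn: cn=placeholder,o=ipaca\ncn: placeholder\n" + _folded + "\n"

if __name__ == "__main__":
    for dn, der in extract_ca_certs(SAMPLE_LDIF):
        print(dn, len(der), sha256_fingerprint(der))
```

If the fingerprint of the recovered value does not match the one computed from a copy of the CA certificate you already trust, do not load it into the recreated entry.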